Windows Server 2016 Active Directory Improvements

Windows Server 2016 is due out this year and, based on what has been announced so far, we wanted to focus today on the Active Directory improvements. Active Directory is the core directory service in most businesses, and SMBs in particular rely on AD in their environment. Currently we have TP4 available, so the screenshots in this post may differ from the final release later this year.

Windows Server 2008 R2 brought, for example, the Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. Features like this are really useful for admins, even if modern backup products can add a second level of protection on top of that. From what we know, there will be new functional levels for the forest and for the domain. That is quite logical: every new release of Windows Server brings new enhancements and new features, which are usually backward compatible.

Windows Server 2016 Active Directory (AD) levels – As of now, we can see that the 2016 forest and domain functional levels will be updated. Right now they are named Windows Server Technical Preview levels, but that's only because the product isn't released just yet.

Windows Server 2003, which has been out of support for a few months now, isn't on the list… The 2003 server model used the File Replication Service (FRS) as the replication model between partners. From Windows Server 2008 onwards, Distributed File System (DFS) Replication is used instead. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

At the Windows Server 2008 and higher domain functional levels, Distributed File System (DFS) Replication is used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is automatically used to replicate SYSVOL. If you created the domain at a lower functional level, you will need to migrate SYSVOL replication from FRS to DFS Replication.

On the screenshot below, we can see that all the other levels will be supported as well, from Windows Server 2008 through 2008 R2, 2012 and 2012 R2.

Other new features in Windows Server 2016 Active Directory:

Privileged Access Management – This PAM feature helps mitigate security concerns in an AD environment that are caused by techniques such as pass-the-hash and spear phishing… the way it works is very interesting.

There is a new term, Just Enough Administration (JEA), which allows a certain task for users with a certain privilege: a user can request the privilege and then perform the task for a limited amount of time. An administrator can specify what that time period might be, and after that time period elapses, the privileged account can no longer be used.

Similarly, Just In Time (JIT) administration allows certain admin tasks to be done within a certain time period. PAM Just-in-Time and Just Enough Administration can be deployed independently or together. You can check further details on PAM on TechNet. Worth the read.

Microsoft Passport – Microsoft Passport is a new key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on breach-, theft- and phish-resistant credentials.

Group Membership Expiration – Windows Server 2016 adds support for group membership expiration, allowing you to add a user to a group for a certain period of time. Very interesting indeed for users you want to give access to for a limited time period only.
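The functional-level prerequisites, the PAM optional feature and a time-limited group membership as described above, put together as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module on a Windows Server 2016 domain controller, and the group name Tier0-Operators and user jdoe are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module on a Windows Server 2016 DC; 'Tier0-Operators' and 'jdoe' are placeholders.
Import-Module ActiveDirectory

# 1. Prerequisite checks: SYSVOL should already be on DFS Replication, and the
#    forest must be at the 2016 level before the PAM optional feature can be enabled.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode: $($forest.ForestMode)  Domain mode: $($domain.DomainMode)"

# dfsrmig reports the SYSVOL migration state; 'Eliminated' means FRS is gone.
$sysvolState = (dfsrmig.exe /getglobalstate) -join ' '
if ($sysvolState -notmatch 'Eliminated') {
    Write-Warning "SYSVOL is not fully migrated to DFS Replication: $sysvolState"
}

if ($forest.ForestMode -notmatch '2016') {
    throw "Forest functional level must be Windows Server 2016 for PAM; current: $($forest.ForestMode)"
}

# 2. Enable the forest-wide optional feature. This is a one-way change:
#    once enabled it cannot be disabled, so keep the confirmation prompt.
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$true
}

# 3. Grant a time-limited membership: the user is a member of the group for
#    30 minutes; the TTL is stored on the link and the membership expires
#    automatically, without anyone having to remember to remove it.
$ttl = New-TimeSpan -Minutes 30
Add-ADGroupMember -Identity 'Tier0-Operators' -Members 'jdoe' -MemberTimeToLive $ttl

# 4. Review what remains: -ShowMemberTimeToLive returns expiring members in the
#    form <TTL=seconds>,DN so the remaining lifetime can be checked or logged.
(Get-ADGroup -Identity 'Tier0-Operators' -Properties member -ShowMemberTimeToLive).member |
    Where-Object { $_ -match '^<TTL=(\d+)>,(.+)$' } |
    ForEach-Object { [pscustomobject]@{ RemainingSeconds = [int]$Matches[1]; Member = $Matches[2] } }
```

Permanent members of the group are returned without the TTL prefix, so the filter in step 4 lists only the time-limited ones.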

The latest TP release has added:

Nano Server supports the DNS Server and IIS server roles, as well as MPIO, VMM, SCOM, DSC push mode, DCB, Windows Server Installer, and the WMI provider for Windows Update. Its Recovery Console supports editing and repairing the network configuration. A Windows PowerShell module is now available to simplify building Nano Server images.

Hyper-V Containers encapsulate each container in a lightweight virtual machine.

Deprecated features:

NAP – Network Access Protection

This post is not meant to be complete. I only had time to focus on some parts of AD, but stay tuned for more as we're adding new content daily. You can subscribe via e-mail to our newsletter (right down there is a link to the Nested vSphere LAB Free E-book) and you'll get one weekly e-mail with our latest articles.

About Vladan SEGET

This website is maintained by Vladan SEGET. Vladan is an independent consultant, professional blogger, vExpert x11, Veeam Vanguard x5, VCAP-DCA/DCD and VCP. The ESX Virtualization site started as a simple bookmarking site, but quickly found a large following of readers and subscribers.